Letsencrypt Docker unable to get local issuer certificate

As per usual I am pulling my hair out as I can not seem to get the result I want.

I am back just testing with virtualbox and a new install of nextcloud & debian 8

@Ark74 kindly fixed the install I was trying to set up for a community center and thought I would spend the time and get it working here.

I am using the devicemapper rather than aufs and that isn’t my problem; it’s with certs.

If I curl from the container to https://nextcloud.vote4u.org.uk/index.php/apps/richdocuments/wopi/files/13_oclpba2urj1k?access_token=f7bz9kPZK45DQKPF9a5cOCMhqEfJaJd8&access_token_ttl=0&permission=edit

I get curl: (60) SSL certificate problem: unable to get local issuer certificate

I have added the root and type3 certs to both host and container and run update-ca-certificates

Whatever I do I get the same curl: (60) SSL certificate problem: unable to get local issuer certificate if I try something like the above.

How do I get docker to trust the nextcloud certs?

As I am just using curl as a test but the errors I am getting I presume are down to certs and letsencrypt.

wsd-00025-0028 0:03:16.051729 [ client_req_hdl ] WRN  WOPI host did not pass optional access_token_ttl| wsd/FileServer.cpp:255
wsd-00025-0029 0:03:17.115053 [ client_ws_0002 ] ERR  WOPI::CheckFileInfo is missing JSON payload
wsd-00025-0029 0:03:17.115487 [ client_ws_0002 ] ERR  Invalid fileinfo for URI [https://nextcloud.vote4u.org.uk/index.php/apps/richdocuments/wopi/files/13_oclpba2urj1k?access_token=f7bz9kPZK45DQKPF9a5cOCMhqEfJaJd8&access_token_ttl=0&permission=edit].| wsd/DocumentBroker.cpp:313
wsd-00025-0029 0:03:17.115526 [ client_ws_0002 ] ERR  Failed to load document with URI [https://nextcloud.vote4u.org.uk/index.php/apps/richdocuments/wopi/files/13_oclpba2urj1k?access_token=f7bz9kPZK45DQKPF9a5cOCMhqEfJaJd8&access_token_ttl=0&permission=edit].| wsd/DocumentBroker.cpp:555
wsd-00025-0029 0:03:17.115601 [ client_ws_0002 ] ERR  Error in client request handler: Failed to load document with URI [https://nextcloud.vote4u.org.uk/index.php/apps/richdocuments/wopi/files/13_oclpba2urj1k?access_token=f7bz9kPZK45DQKPF9a5cOCMhqEfJaJd8&access_token_ttl=0&permission=edit].| wsd/LOOLWSD.cpp:1019
wsd-00025-0029 0:03:17.276219 [ client_ws_0003 ] ERR  WOPI::CheckFileInfo is missing JSON payload
wsd-00025-0029 0:03:17.277054 [ client_ws_0003 ] ERR  Invalid fileinfo for URI [https://nextcloud.vote4u.org.uk/index.php/apps/richdocuments/wopi/files/13_oclpba2urj1k?access_token=f7bz9kPZK45DQKPF9a5cOCMhqEfJaJd8&access_token_ttl=0&permission=readonly].| wsd/DocumentBroker.cpp:313
wsd-00025-0029 0:03:17.277377 [ client_ws_0003 ] ERR  Failed to load document with URI [https://nextcloud.vote4u.org.uk/index.php/apps/richdocuments/wopi/files/13_oclpba2urj1k?access_token=f7bz9kPZK45DQKPF9a5cOCMhqEfJaJd8&access_token_ttl=0&permission=readonly].| wsd/DocumentBroker.cpp:555
wsd-00025-0029 0:03:17.277688 [ client_ws_0003 ] ERR  Error in client request handler: Failed to load document with URI [https://nextcloud.vote4u.org.uk/index.php/apps/richdocuments/wopi/files/13_oclpba2urj1k?access_token=f7bz9kPZK45DQKPF9a5cOCMhqEfJaJd8&access_token_ttl=0&permission=readonly].| wsd/LOOLWSD.cpp:1019
wsd-00025-0026 0:03:30.488397 [ client_ws_0004 ] ERR  WOPI::CheckFileInfo is missing JSON payload
wsd-00025-0026 0:03:30.488743 [ client_ws_0004 ] ERR  Invalid fileinfo for URI [https://nextcloud.vote4u.org.uk/index.php/apps/richdocuments/wopi/files/13_oclpba2urj1k?access_token=f7bz9kPZK45DQKPF9a5cOCMhqEfJaJd8&access_token_ttl=0&permission=readonly].| wsd/DocumentBroker.cpp:313
wsd-00025-0026 0:03:30.488827 [ client_ws_0004 ] ERR  Failed to load document with URI [https://nextcloud.vote4u.org.uk/index.php/apps/richdocuments/wopi/files/13_oclpba2urj1k?access_token=f7bz9kPZK45DQKPF9a5cOCMhqEfJaJd8&access_token_ttl=0&permission=readonly].| wsd/DocumentBroker.cpp:555
wsd-00025-0026 0:03:30.489036 [ client_ws_0004 ] ERR  Error in client request handler: Failed to load document with URI [https://nextcloud.vote4u.org.uk/index.php/apps/richdocuments/wopi/files/13_oclpba2urj1k?access_token=f7bz9kPZK45DQKPF9a5cOCMhqEfJaJd8&access_token_ttl=0&permission=readonly].| wsd/LOOLWSD.cpp:1019
wsd-00025-0028 0:04:07.356491 [ client_ws_0005 ] ERR  WOPI::CheckFileInfo is missing JSON payload
wsd-00025-0028 0:04:07.356771 [ client_ws_0005 ] ERR  Invalid fileinfo for URI [https://nextcloud.vote4u.org.uk/index.php/apps/richdocuments/wopi/files/13_oclpba2urj1k?access_token=f7bz9kPZK45DQKPF9a5cOCMhqEfJaJd8&access_token_ttl=0&permission=readonly].| wsd/DocumentBroker.cpp:313
wsd-00025-0028 0:04:07.356797 [ client_ws_0005 ] ERR  Failed to load document with URI [https://nextcloud.vote4u.org.uk/index.php/apps/richdocuments/wopi/files/13_oclpba2urj1k?access_token=f7bz9kPZK45DQKPF9a5cOCMhqEfJaJd8&access_token_ttl=0&permission=readonly].| wsd/DocumentBroker.cpp:555
wsd-00025-0028 0:04:07.356832 [ client_ws_0005 ] ERR  Error in client request handler: Failed to load document with URI [https://nextcloud.vote4u.org.uk/index.php/apps/richdocuments/wopi/files/13_oclpba2urj1k?access_token=f7bz9kPZK45DQKPF9a5cOCMhqEfJaJd8&access_token_ttl=0&permission=readonly].| wsd/LOOLWSD.cpp:1019
wsd-00025-0028 0:04:07.357557 [ client_ws_0005 ] ERR  ClientRequestHandler::handleClientRequest: SSL Exception: error:1409F07F:SSL routines:SSL3_WRITE_PENDING:bad write retry| wsd/LOOLWSD.cpp:1211
wsd-00025-0026 0:04:37.970233 [ client_ws_0006 ] ERR  WOPI::CheckFileInfo is missing JSON payload
wsd-00025-0026 0:04:37.970574 [ client_ws_0006 ] ERR  Invalid fileinfo for URI [https://nextcloud.vote4u.org.uk/index.php/apps/richdocuments/wopi/files/13_oclpba2urj1k?access_token=f7bz9kPZK45DQKPF9a5cOCMhqEfJaJd8&access_token_ttl=0&permission=readonly].| wsd/DocumentBroker.cpp:313
wsd-00025-0026 0:04:37.970653 [ client_ws_0006 ] ERR  Failed to load document with URI [https://nextcloud.vote4u.org.uk/index.php/apps/richdocuments/wopi/files/13_oclpba2urj1k?access_token=f7bz9kPZK45DQKPF9a5cOCMhqEfJaJd8&access_token_ttl=0&permission=readonly].| wsd/DocumentBroker.cpp:555
wsd-00025-0026 0:04:37.970779 [ client_ws_0006 ] ERR  Error in client request handler: Failed to load document with URI [https://nextcloud.vote4u.org.uk/index.php/apps/richdocuments/wopi/files/13_oclpba2urj1k?access_token=f7bz9kPZK45DQKPF9a5cOCMhqEfJaJd8&access_token_ttl=0&permission=readonly].| wsd/LOOLWSD.cpp:1019

Put any of those urls in a browser and the json is returned.
Curl from the host and the json is returned.
Curl inside the container and curl: (60) SSL certificate problem: unable to get local issuer certificate ?

Sure this is an easy one and once more it’s me being dumb! :slight_smile:

Your certificate authenticates fine on my side. Can you share an open link?

No as the only place it doesn’t is from inside the docker container :frowning:

It’s why my Collabora isn’t connecting to documents.

Like I say you can, I can even on the host server curl works.

but docker exec -i -t [container-id] /bin/sh

curl the above in the container (docker) and the error and if you curl -k url to ignore ssl because of the apache settings you get nothing, which is probably to be expected.
Not sure why after importing the root & type3 cert and update-ca-certificates in the docker container curl still does not like the cert.

I have to ask about /nextcloud/resources/config/ca-bundle.crt as it looks like a list of root certs and with letsencrypt being relatively new does it need to be pasted there as still haven’t read up on exactly the function here.

I presume https://nextcloud.vote4u.org.uk/index.php/s/gqzqmyRHZtlROqK works but the only place that doesn’t is inside the collabora container.
Which isn’t something you would really do, but when wanting the json file info of the first link it is.

I found this article and quite a few more via a bit of Googling https://blog.rac.me.uk/2016/05/04/techy-getting-curl-to-work-with-lets-encrypt-unable-to-get-local-issuer-certificate-error/ but cannot fix it.

Hi again.

I’ve got to say that the CODE docker container is rather unknown to me. It handles so many things together that it’s easy to lose track of them.

So I would stick with the basics,

  • Install docker
  • pull image
  • run container (with the long prefix)
  • configure nextcloud host SSL
  • configure code proxy with SSL
  • enable app and set code proxy URL

Are you using valid SSL certs for your domains?
I got told many times that selfsigned certs won’t work. Also that docker container has its own cert to run internally.

Apache SSL certs are to handle the data from outside the container to the browser, not within the container.

So I should say try to not modify it.

Hi @Ark74, finally I got it: it’s because I am self hosting and really need a split DNS for internal and external.

I ran openssl s_client -connect nextcloud.vote4u.org.uk:443 -CApath /etc/ssl/certs/
CONNECTED(00000003)
depth=0 C = CN, ST = Hubei, L = Wuhan, CN = talktalkrouter.lan
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = CN, ST = Hubei, L = Wuhan, CN = talktalkrouter.lan
verify error:num=27:certificate not trusted
verify return:1
depth=0 C = CN, ST = Hubei, L = Wuhan, CN = talktalkrouter.lan
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=CN/ST=Hubei/L=Wuhan/CN=talktalkrouter.lan
   i:/C=CN/ST=Hubei/L=Wuhan/CN=root.home/emailAddress=mobile@huawei.com

Which is obviously my router and it’s hitting my public IP but the wrong way for port forwarding.

I added into /etc/hosts the ip and domain and then

openssl s_client -connect nextcloud.vote4u.org.uk:443 -CApath /etc/ssl/certs/
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = nextcloud.vote4u.org.uk
verify return:1
---
Certificate chain
 0 s:/CN=nextcloud.vote4u.org.uk
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3

Doh! I had edited the hosts files on the client, server and why I never thought of the docker container as a client, that also needs a hosts entry!!!

These are run from inside the container so…
docker exec -i -t [container-id] /bin/sh
Then run the above and edit /etc/hosts of the container
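
An added example, not part of the original posts: a small triage function that reads `openssl s_client` output and reports whether the wrong machine answered (as with the router certificate above) or the right server answered with an untrusted chain. The function name and result strings are made up for illustration, and it compares only the leaf subject CN, not subjectAltName entries.

```sh
#!/bin/sh
# Added example: triage `openssl s_client` output before touching the CA store.
# Heuristic only: compares the leaf subject CN, not subjectAltName entries.

# classify_s_client EXPECTED_HOST   (s_client output on stdin)
classify_s_client() {
    expected=$1
    out=$(cat)
    # Leaf subject is the "0 s:" line under "Certificate chain".
    leaf=$(printf '%s\n' "$out" | sed -n 's|^ *0 s:\(.*\)$|\1|p' | head -n 1)
    # Accept both "/CN=name" (older OpenSSL) and "CN = name" (newer) layouts.
    cn=$(printf '%s\n' "$leaf" | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p')
    if [ -z "$cn" ]; then
        echo "no-leaf-certificate"
    elif [ "$cn" != "$expected" ]; then
        # A different machine answered: fix DNS, /etc/hosts or routing.
        echo "wrong-server:$cn"
    elif printf '%s\n' "$out" | grep -q '^verify error:'; then
        # Right server, but the chain does not reach a trusted root.
        echo "untrusted-chain"
    else
        echo "ok"
    fi
}

# Sample inputs: the first two are abridged from the outputs in this thread,
# the third is constructed for illustration.
ROUTER_OUT='depth=0 C = CN, ST = Hubei, L = Wuhan, CN = talktalkrouter.lan
verify error:num=20:unable to get local issuer certificate
Certificate chain
 0 s:/C=CN/ST=Hubei/L=Wuhan/CN=talktalkrouter.lan
   i:/C=CN/ST=Hubei/L=Wuhan/CN=root.home/emailAddress=mobile@huawei.com'

GOOD_OUT="depth=0 CN = nextcloud.vote4u.org.uk
verify return:1
Certificate chain
 0 s:/CN=nextcloud.vote4u.org.uk
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3"

MISSING_CA_OUT="depth=0 CN = nextcloud.vote4u.org.uk
verify error:num=20:unable to get local issuer certificate
Certificate chain
 0 s:/CN=nextcloud.vote4u.org.uk
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3"

for sample in "$ROUTER_OUT" "$GOOD_OUT" "$MISSING_CA_OUT"; do
    printf '%s\n' "$sample" | classify_s_client nextcloud.vote4u.org.uk
done
```

Inside the container, feed it live output with `openssl s_client -connect HOST:443 </dev/null 2>&1 | classify_s_client HOST`.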

I LOVE YOU

I have spent 1 week trying to install code/nextcloud… I have tried debian, ubuntu, opensuse, nextcloud 10, 11, VM, non-VM, Apache, NGINX… every possible combination!! I was getting really depressed :stuck_out_tongue:

Never crossed my mind to edit /etc/hosts of the docker container… IT WORKS NOW!


I was exactly the same for some reason it never computed that the docker container was a client just like all the rest.
I was editing hosts everywhere except in the container.

docker run -t -d -p 127.0.0.1:9980:9980 -e 'domain=nextcloud\\.vote4u\\.org\\.uk' --dns=192.168.1.2 --restart always --cap-add MKNOD collabora/code

With the addition of a DNS server entry --dns=192.168.1.2 which in my case is DNSMasq as after use wow what a simple small low overhead DNS/DHCP it is perfect if you have a small subnet where doing the hosts on all is a bit of a pain.

PS I did exactly the same, even had Archlinux in the list, which I do like as it’s a super small image, but I always struggle with it.
Debian works great as long as you swap out Aufs for Devicemapper with docker; Ubuntu, if you add kernel extras and virtual images, works well with Aufs.
When you get it going, it’s well worth the hassle; Nextcloud with Collabora is an extremely interesting homeCloud - workgroupCloud.

I did a Debian Tutorial after my experiences that I meant to be a complete Perfect Debian/Nextcloud/Collabora/DNSMasq/Fail2Ban/OpenVpn/Webmin/Ufw guide.

Got it finished to this point of the first three and if anyone would like to copy complete, change and post for all us poor Nextcloud noobs, please do so.

If followed it will give you a working Debian 8, PHP7, MariaDB, Nextcloud 11, Collabora 2
